Go to listing page

Cyware Daily Threat Intelligence, September 23, 2021

Cyware Daily Threat Intelligence, September 23, 2021

Share Blog Post

Cybercrime-as-a-Service got a new offshoot called Phishing-as-a-Service (PHaaS). Researchers have released details of a phishing kit named BulletProofLink that provides over 100 phishing templates for known brands and services. The phishing kit has been part of many phishing campaigns launched by several attackers.

It’s not only the underground market that is evolving, new threat actors are also emerging to cause widespread destruction. A new APT group named FamousSparrow came under the scanner of researchers for using a new backdoor called SparrowDoor. The gang was found exploiting ProxyLogon vulnerability to target hotels, engineering firms, and government organizations. Meanwhile, a newly discovered TangleBot Android malware was found being distributed via fake COVID-19 regulations messages to target users in the U.S.

Top Breaches Reported in the Last 24 Hours

Coninsa Ramon H leaks data
More than one terabyte of data containing 5.5 million files has been leaked by the Colombian real estate firm, Coninsa Ramon H. The incident occurred due to a misconfigured AWS bucket that included clients’ names, photos, and addresses.

REvil hits out at affiliates
REvil ransomware operators are using a series of tactics to hijack victim cases of their affiliates. These include the use of a new backdoor that enables the secret decryption of files during the negotiation with victims and a double-chat setup that hijacks chats with victims.

Login credentials leaked
Design flaws in Microsoft Exchange’s Autodiscover feature have leaked around 100,000 login credentials for Windows domains worldwide. The affected clients include publicly traded companies in the Chinese market, food manufacturers, power plants, real estate, shipping & logistics, and fashion & jewelry.

FamousSparrow strikes
A new threat actor group dubbed FamousSparrow has been uncovered targeting hotels and international governments since at least 2019. The attackers targeted organizations in Brazil, Burkina Faso, Canada, France, Guatemala, Israel, Lithuania, Saudi Arabia, South Africa, Taiwan, Thailand and the United Kingdom. Most of the recent attacks were launched using the ProxyLogin vulnerability.

Crystal Valley hit
After NEW Cooperative, Minnesota-based farming supply firm Crystal Valley Cooperative has fallen victim to a ransomware attack that infected its computer systems. The firm had immediately shut down IT systems to contain the infection.

Data of LinkedIn users leaked
Approximately 187 GB of data belonging to more than 700 million LinkedIn users has been shared in private Telegram channels in the form of a torrent file. The scraped data includes LinkedIn profile names, ID, URL, and location information.

BulletProofLink operation
Microsoft has revealed details about a large-scale Phishing-as-a-Service (PHaaS) that involved selling phishing kits, email templates and hosting services at a low cost. Named BulletProofLink, the PHaaS includes over 100 phishing templates of known brands and services.

Top Malware Reported in the Last 24 Hours

New TangleBot malware
TangleBot is a newly discovered malware that is targeting Android users in the U.S. The malware is distributed via text messages that lure users with fake COVID-19 regulations. The malware is capable of stealing banking credentials, logging calls, camera, and microphone recordings.

Malicious iTerm2 app
A malicious version of iTerm2 app is being distributed via iTerm2[.]net to infect users across Asia. The primary purpose of the malware is to harvest credentials and other sensitive data. It also opens the door for other trojanized apps that are propagated via a backdoor.

New Jupyter versions
Six new versions of the Jupyter infostealer have been uncovered flying under the radar using MSI installer. Digitally signed certificates are also used to avoid detection.

Top Vulnerabilities Reported in the Last 24 Hours

VMware vCenter under attack
Threat actors have already started targeting unpatched VMware vCenter servers that are affected by a critical arbitrary file upload vulnerability. Tracked as CVE-2021-22005, the flaw impacts Server 6.7 and 7.0 deployments and can be exploited to remotely execute malicious code on systems.


tanglebot android malware
proxylogon vulnerability
famoussparrow apt group
phishing as a service phaas

Posted on: September 23, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.